Last week it was observed that some applications were retrieving secrets from AWS Secrets Manager that were scheduled for deletion.
These applications had not been updated to use the new secrets in AWS Secrets Manager.
To avoid such incidents in the future, Management has asked you to create a notification when there is an attempt to access secrets pending deletion. Which of the following steps can be used to create this notification? (Select Three)
Correct Answers: C, E and F.
A combination of AWS CloudTrail, Amazon CloudWatch Logs and Amazon SNS can be used to create an alarm that notifies on any attempt to access a version of a secret pending deletion.
The following steps can be configured for this:
Log AWS Secrets Manager API calls with AWS CloudTrail and configure CloudTrail log file delivery to CloudWatch Logs.
Create a CloudWatch alarm that generates a notification when a Secrets Manager “GetSecretValue” API operation requests access to a version of a secret pending deletion.
Monitor CloudWatch for deleted secrets.
Amazon SNS will notify when there is an AWS Secrets Manager API call to access secrets that are pending deletion.
Option A is incorrect as it should monitor deleted secrets and not active secrets.
Option B is incorrect as it should log API calls and not NON-API calls.
Option D is incorrect as the Secrets Manager API operation should be “GetSecretValue” and not “ListSecretValue”.
For more information on monitoring secrets with AWS Secrets Manager, refer to the following URL:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html
To create a notification when there is an attempt to access secrets pending deletion in AWS Secrets Manager, you can follow these three steps:
Log AWS Secrets Manager API calls with AWS CloudTrail and configure CloudTrail log file delivery to CloudWatch Logs:
AWS CloudTrail can log all API calls made to Secrets Manager, including calls that retrieve secret values. Configuring CloudTrail to deliver these logs to CloudWatch Logs gives you a single place where every Secrets Manager API call can be viewed, searched and matched by a metric filter.
Option C - Log AWS Secrets Manager API calls with AWS CloudTrail and configure CloudTrail log file delivery to CloudWatch logs is the correct answer.
Create the CloudWatch alarm to generate a notification when a Secrets Manager "GetSecretValue" API operation requests to access a version of a secret pending deletion:
A CloudWatch alarm can be set up to monitor specific API calls made to Secrets Manager, such as the "GetSecretValue" API call. This alarm can be configured to generate a notification when a version of a secret pending deletion is accessed.
Option E - Create the CloudWatch alarm to generate a notification when a Secrets Manager "GetSecretValue" API operation requests to access a version of a secret pending deletion is the correct answer.
Monitor CloudWatch for deleted secrets:
Monitoring CloudWatch for deleted secrets will not help in creating a notification for accessing secrets pending deletion. Instead, you can create an alarm for specific API calls that access a version of a secret pending deletion.
Option F - Monitor CloudWatch for deleted secrets is not a correct answer.
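The detection logic that the CloudTrail-to-CloudWatch-Logs-to-alarm steps above rely on, written out as an added example (not code from the original page and not AWS's own code). It assumes CloudTrail delivers each event to CloudWatch Logs as one JSON object per line, and that a GetSecretValue call against a secret scheduled for deletion fails with an InvalidRequestException whose errorMessage contains the text held in MARKED_FOR_DELETION (the wording used in the sample filter pattern of the AWS Secrets Manager monitoring guide; confirm it against an event in your own trail). The sample log lines, the account number, the role and the secret name are all constructed.

```python
"""Local model of the CloudWatch Logs metric filter that flags reads of a
secret scheduled for deletion (added example; assumptions noted inline)."""
import json
import re

# Text CloudTrail records when Secrets Manager refuses a call on a secret
# that is scheduled for deletion (assumed wording, see the lead-in).
MARKED_FOR_DELETION = (
    "You can't perform this operation on the secret because it was marked for deletion"
)

# The same predicate in CloudWatch Logs filter-pattern syntax, usable as the
# --filter-pattern of `aws logs put-metric-filter`.  "*" is a wildcard, so
# "*text*" means "errorMessage contains text".
FILTER_PATTERN = (
    '{ $.eventName = "GetSecretValue" && $.errorMessage = "*'
    + MARKED_FOR_DELETION
    + '*" }'
)


def glob_match(pattern: str, value: str) -> bool:
    """Match a filter-pattern term where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def is_pending_deletion_access(event: dict) -> bool:
    """True when the event is a GetSecretValue call refused because the secret
    is scheduled for deletion.  A successful read, a different API operation,
    or a different error (e.g. AccessDenied) does not match."""
    if event.get("eventSource") != "secretsmanager.amazonaws.com":
        return False
    if event.get("eventName") != "GetSecretValue":
        return False
    return glob_match("*" + MARKED_FOR_DELETION + "*", event.get("errorMessage", ""))


def scan_log_lines(lines):
    """Apply the predicate to CloudWatch Logs lines and return the hits as
    (time, caller, secret) records: the facts an SNS message should carry so
    the owning team can find the application that still uses the old secret."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; a metric filter skips such lines too
        if is_pending_deletion_access(event):
            hits.append({
                "time": event.get("eventTime"),
                "caller": event.get("userIdentity", {}).get("arn"),
                "secret": event.get("requestParameters", {}).get("secretId"),
            })
    return hits


# Constructed sample data (fictitious account, role and secret names).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-password-AbCdEf"
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/orders-api-task/ecs"


def _event(name, error_code=None, error_message=None):
    """Build one CloudTrail-shaped JSON log line for the samples below."""
    event = {
        "eventVersion": "1.08",
        "eventTime": "2024-05-06T10:15:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
        "requestParameters": {"secretId": SECRET_ARN},
    }
    if error_code:
        event["errorCode"] = error_code
        event["errorMessage"] = error_message
    return json.dumps(event)


SAMPLE_LINES = [
    _event("GetSecretValue"),                                                       # normal read
    _event("GetSecretValue", "InvalidRequestException", MARKED_FOR_DELETION + "."),  # the incident
    _event("PutSecretValue", "InvalidRequestException", MARKED_FOR_DELETION + "."),  # other operation
    _event("GetSecretValue", "AccessDeniedException",
           "User is not authorized to perform: secretsmanager:GetSecretValue"),   # other error
    "2024-05-06 10:15:01 non-JSON noise line",
]

if __name__ == "__main__":
    print(FILTER_PATTERN)
    for hit in scan_log_lines(SAMPLE_LINES):
        print(f"ALERT {hit['time']} {hit['caller']} read pending-deletion secret {hit['secret']}")
```

To wire the same predicate into the real pipeline, pass FILTER_PATTERN to `aws logs put-metric-filter` on the CloudTrail log group with a metric transformation whose value is 1, then create the alarm with `aws cloudwatch put-metric-alarm` (statistic Sum, threshold 1, one evaluation period) and point `--alarm-actions` at the SNS topic ARN. Matching on the specific error text rather than on every failed GetSecretValue keeps throttling and permission errors from paging the on-call.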
Note: